cycbot | b46fdb1531449902376d8bc1b38089d05a440aa7ea09ea2e45d5a17c2aff5e8f

General

Target

918b29a560e7609cd39d2142f72bf4ed_JaffaCakes118.exe
Size

197KB
MD5

918b29a560e7609cd39d2142f72bf4ed
SHA1

6e3dda463392fb0ab497ebd0945bc550b456c282
SHA256

b46fdb1531449902376d8bc1b38089d05a440aa7ea09ea2e45d5a17c2aff5e8f
SHA512

2dc2974183bc36cfc9311ea5dc195d3e5fa46d7f66660044f8f7b7b6228c9f36284120b16c4dfce3ecd156cebe7cdc97f83e5098615b5c89fdabbff1185d8534
SSDEEP

3072:pewiMia34BPppLj5nB4BoKWvSpk4SyEo0ltWofVpapaXZwYK9eo3EQm/2:Ya38jBB43HSyVE4ozapGyYKso0Q

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

Processes:

resource	yara_rule
behavioral1/memory/2528-6-0x0000000000400000-0x0000000000449000-memory.dmp	family_cycbot
behavioral1/memory/2552-14-0x0000000000400000-0x0000000000449000-memory.dmp	family_cycbot
behavioral1/memory/2328-82-0x0000000000400000-0x0000000000449000-memory.dmp	family_cycbot
behavioral1/memory/2552-187-0x0000000000400000-0x0000000000449000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2552-1-0x0000000000400000-0x0000000000449000-memory.dmp	upx
behavioral1/memory/2528-5-0x0000000000400000-0x0000000000449000-memory.dmp	upx
behavioral1/memory/2528-6-0x0000000000400000-0x0000000000449000-memory.dmp	upx
behavioral1/memory/2552-14-0x0000000000400000-0x0000000000449000-memory.dmp	upx
behavioral1/memory/2328-81-0x0000000000400000-0x0000000000449000-memory.dmp	upx
behavioral1/memory/2328-82-0x0000000000400000-0x0000000000449000-memory.dmp	upx
behavioral1/memory/2552-187-0x0000000000400000-0x0000000000449000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

918b29a560e7609cd39d2142f72bf4ed_JaffaCakes118.exe918b29a560e7609cd39d2142f72bf4ed_JaffaCakes118.exe918b29a560e7609cd39d2142f72bf4ed_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	918b29a560e7609cd39d2142f72bf4ed_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	918b29a560e7609cd39d2142f72bf4ed_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	918b29a560e7609cd39d2142f72bf4ed_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

918b29a560e7609cd39d2142f72bf4ed_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2552 wrote to memory of 2528	2552	918b29a560e7609cd39d2142f72bf4ed_JaffaCakes118.exe	30
PID 2552 wrote to memory of 2528	2552	918b29a560e7609cd39d2142f72bf4ed_JaffaCakes118.exe	30
PID 2552 wrote to memory of 2528	2552	918b29a560e7609cd39d2142f72bf4ed_JaffaCakes118.exe	30
PID 2552 wrote to memory of 2528	2552	918b29a560e7609cd39d2142f72bf4ed_JaffaCakes118.exe	30
PID 2552 wrote to memory of 2328	2552	918b29a560e7609cd39d2142f72bf4ed_JaffaCakes118.exe	32
PID 2552 wrote to memory of 2328	2552	918b29a560e7609cd39d2142f72bf4ed_JaffaCakes118.exe	32
PID 2552 wrote to memory of 2328	2552	918b29a560e7609cd39d2142f72bf4ed_JaffaCakes118.exe	32
PID 2552 wrote to memory of 2328	2552	918b29a560e7609cd39d2142f72bf4ed_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\918b29a560e7609cd39d2142f72bf4ed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\918b29a560e7609cd39d2142f72bf4ed_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\AppData\Local\Temp\918b29a560e7609cd39d2142f72bf4ed_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\918b29a560e7609cd39d2142f72bf4ed_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2528
- C:\Users\Admin\AppData\Local\Temp\918b29a560e7609cd39d2142f72bf4ed_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\918b29a560e7609cd39d2142f72bf4ed_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F3B1.7BE

Filesize
1KB

MD5
638d50581c700bf44b82a4dd506168f7

SHA1
4fd2337d2fe8ec624fb7919f71244928a9060a7a

SHA256
7e9744c609e742ccc2ddbf3020b7a09ca270c38dba91dd57085d41af341339fc

SHA512
010c7118735e1aac5d321160fe888dc0021f0a08b484364555cbcf229a90e77c35ffde17aa74a6323485f22cb83c31c01664b88ebbaad34f1245221a53136908

Download Submit
C:\Users\Admin\AppData\Roaming\F3B1.7BE

Filesize
600B

MD5
c04e357e31db48abf9041409ca66ff38

SHA1
65d8a0fa5c7a2d88087a9b33965d87dcb3de92d5

SHA256
ca2b91f63fba120cfcb5553fdb1784a410d13d7d1544e4fc760c0b4d34d80f30

SHA512
22cec3bd7c84bf410aed0d806e7921a3ec9eed544a0d7d29a1468e7c80a67439cb8e24d2c29d3275e428cfcaa95137528f1fdf3a8f81833cba247e61dfc0ffd8

Download Submit
C:\Users\Admin\AppData\Roaming\F3B1.7BE

Filesize
996B

MD5
63c0b0ec66e4e8812905e80838ad0605

SHA1
24bc30a2eb2d662872990155ff00b034302d6a1b

SHA256
be9d7d271d3502fe46963549af2498cf3960511a5692de5babf6f3708aa795bf

SHA512
48d56dfbe5f97065478334d33af41c4fd76a92beab1e1d032d868aedb2f3d533f1b46b031e515fb7cf42dc526464d38e71fd9857bfdcbfec2a7276ef8a46d1d9

Download Submit
memory/2328-81-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2328-82-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2528-5-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2528-4-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2528-6-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2552-1-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2552-14-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2552-187-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads